Qualys


SAP IQ Authentication 


Thank you for your interest in authenticated scanning! When you configure and use 
authentication, you get a more in-depth assessment of your hosts, the most accurate results and 
fewer false positives. This document provides tips and best practices for setting up SAP IQ 
authentication for compliance scans. 


A few things to consider 


Why should I use authentication? 


With authentication, we can remotely log in to each target system with credentials that you 
provide, and because we’re logged in we can do more thorough testing. This will give you better 
visibility into each system's security posture. Is it required? Yes, it’s required for compliance 
scans. 


Are my credentials safe? 


Yes, credentials are exclusively used for READ access to your system. The service does not 
modify or write anything on the device in any way. Credentials are securely handled by the 
service and are only used for the duration of the scan. 


Which technologies are supported? 


For the most current list of supported authentication technologies and the versions that have 
been certified for VM and PC by record type, please refer to the following article: 


Authentication Technologies Matrix 


What are the steps? 


First, set up a SAP IQ user account and privileges (on target hosts) for authenticated scanning. 
Then, using Qualys Policy Compliance, complete these steps: 1) Add a SAP IQ authentication 
record. 2) Launch a compliance scan. 3) Run the Authentication Report to find out if 
authentication passed or failed for each scanned host. 


SAP IQ Credentials 


We've provided a set of scripts below to help you set up an account and privileges which must 
exist prior to running scans. These scripts require an Admin account. Please run the scripts 
provided, in the order shown. The role and scan account need to be created in the database you 
want to scan. 


1) Create a Role for the Scan Account 


This script creates a role for the user account to be used for scanning. It also grants privileges to 
the role needed for successful authentication and compliance scanning. We recommend 
creating a role called QUALYS_ROLE. 


CREATE ROLE QUALYS_ROLE;
GRANT MONITOR TO QUALYS_ROLE;


2) Create a User Account


This script creates a scan user account. Please provide a password before running the script. The 
script also grants the role created in Step 1 to the account. Tip - We recommend creating an 
account called QUALYS_SCAN. 


CREATE USER QUALYS_SCAN IDENTIFIED BY <password>;
GRANT ROLE QUALYS_ROLE TO QUALYS_SCAN;


3) Verify Privileges on the Scan Account 


3a) Verify that you can log in to the SAP IQ database as QUALYS_SCAN and run the query
below successfully.


select count(1) from sysusers; 


3b) Verify that the QUALYS_SCAN account has all the privileges listed in the table below, which
are needed to run a successful compliance scan for the database you want to scan. Log into the
instance using the Admin account, then run the following query to verify the privileges assigned
to the 'QUALYS_SCAN' account.


CALL sp_displayroles( 'QUALYS_SCAN', 'expand_down', 'ALL' );


Expected output: 


role_name     parent_role_name  grant_type  role_level
PUBLIC        (NULL)            NO ADMIN    1
QUALYS_ROLE   (NULL)            NO ADMIN    1
SYS           PUBLIC            NO ADMIN    2
dbo           PUBLIC            NO ADMIN    2
MONITOR       QUALYS_ROLE       NO ADMIN    2


Did you get different results? Contact your SAP IQ DBA to ensure that privileges are set up 
correctly. 
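
One way to automate the comparison in Step 3b, as an added example that is not part of the Qualys document: it audits the sp_displayroles result against the least-privilege baseline from Steps 1 and 2 and reports missing or extra grants. It assumes the result set was exported as CSV with the four column names shown above; the function names and both sample inputs are constructed for illustration.

```python
import csv
import io

# Least-privilege baseline taken from Steps 1-3 of the page.
DIRECT_ROLES = {"PUBLIC", "QUALYS_ROLE"}   # level-1 rows for QUALYS_SCAN
ROLE_GRANTS = {"MONITOR"}                  # what Step 1 grants to QUALYS_ROLE

def parse_roles(csv_text):
    """Parse a CSV export of the sp_displayroles result set (assumed format)."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text.strip())):
        parent = rec["parent_role_name"].strip()
        rows.append({
            "role": rec["role_name"].strip(),
            "parent": None if parent in ("", "(NULL)") else parent,
            "grant_type": rec["grant_type"].strip(),
        })
    return rows

def audit(rows):
    """Return findings; an empty list means the output matches the baseline."""
    direct = {r["role"] for r in rows if r["parent"] is None}
    via_role = {r["role"] for r in rows if r["parent"] == "QUALYS_ROLE"}
    findings = [f"missing direct role: {m}" for m in sorted(DIRECT_ROLES - direct)]
    findings += [f"unexpected direct role: {e}" for e in sorted(direct - DIRECT_ROLES)]
    findings += [f"QUALYS_ROLE lacks: {m}" for m in sorted(ROLE_GRANTS - via_role)]
    findings += [f"QUALYS_ROLE has extra grant: {e}" for e in sorted(via_role - ROLE_GRANTS)]
    # Anything other than NO ADMIN means the grantee can also administer the role.
    findings += [f"{r['role']} granted as {r['grant_type']}"
                 for r in rows if r["grant_type"] != "NO ADMIN"]
    return findings

# Constructed sample: the expected output from the page, as CSV.
EXPECTED_CSV = """role_name,parent_role_name,grant_type,role_level
PUBLIC,(NULL),NO ADMIN,1
QUALYS_ROLE,(NULL),NO ADMIN,1
SYS,PUBLIC,NO ADMIN,2
dbo,PUBLIC,NO ADMIN,2
MONITOR,QUALYS_ROLE,NO ADMIN,2
"""
# Constructed sample: MONITOR missing, an extra privilege, an ADMIN grant.
DRIFTED_CSV = """role_name,parent_role_name,grant_type,role_level
PUBLIC,(NULL),NO ADMIN,1
QUALYS_ROLE,(NULL),ADMIN,1
dbo,PUBLIC,NO ADMIN,2
SELECT ANY TABLE,QUALYS_ROLE,NO ADMIN,2
"""

if __name__ == "__main__":
    for name, text in (("expected", EXPECTED_CSV), ("drifted", DRIFTED_CSV)):
        print(name, audit(parse_roles(text)) or "OK")
```

Rows inherited through PUBLIC are not checked, because every account in the database receives them.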

SAP IQ Authentication Records


You'll create SAP IQ authentication records in Qualys to associate credentials to hosts (IPs). 

You'll need to supply a user name and password (or use a password vault), the database you want
to authenticate to and the port the database is on. This record type is only available in accounts
with PC or SCA, and is only supported for compliance scans.


How do I get started?


Go to Scans > Authentication, and then go to 
New > Databases > SAP IQ. 


In the SAP IQ record, you'll see Authentication Type: 
Basic selected by default on the Login Credentials 
tab. Enter the user name and password to use for 
authentication. 


Can I access a password in a vault? 


Yes. We support integration with multiple third-party
password vaults. To use vaults, first go to Scans > 
Authentication > New > Authentication Vaults and 
tell us about your vault system. 


In the SAP IQ record, choose Authentication Type: 
Vault based on the Login Credentials tab and select 
your vault type and vault record. At scan time, we'll 
authenticate to hosts using the account name in your 
record and the password we find in your vault. 


[Screenshot: New menu under Scans > Authentication, showing the Databases and Authentication Vaults options.]

[Screenshot: New SAP IQ Record, Login Credentials tab, with Authentication Type set to Vault based. Vault Type options shown: CA Access Control, CyberArk PIM Suite, CyberArk AIM, Hitachi ID PAM, Lieberman ERPM, Quest Vault, Thycotic Secret Server, BeyondTrust PBPS, Wallix AdminBastion (WAB), HashiCorp, Azure Key, CA PAM, Arcon PAM.]


What database information is required? 


On the Login Credentials tab, tell us the database name to authenticate to and the port the 
database is running on. The installation directory name is required only for Unix based hosts. 


[Screenshot: New SAP IQ Record, Login Credentials tab, with Authentication Type set to Basic. Fields shown: Username, Password, Confirm Password, Enable Password Encryption. Database Information fields: Database Name, Installation Directory (required for Unix based hosts; example: /opt/sybase).]


Which IPs should I add to my record?


Select the IP addresses for the SAP IQ databases that the scanning engine should log into using 
the specified credentials. 


[Screenshot: New SAP IQ Record, IPs tab. Enter or select IPs/ranges. Example: 192.168.0.87-192.168.0.92, 192.168.0.200]